CVE-2026-48594 - High Severity Vulnerability
Vulnerable Library - tesla-1.16.0.tar
HTTP client library, with support for middleware and multiple adapters.
Library home page: https://repo.hex.pm/tarballs/tesla-1.16.0.tar
Path to dependency file: /OPENAPI-REST-API/openapi-client/elixir/mix.exs
Path to vulnerable library: /home/wss-scanner/.hex/packages/hexpm/tesla-1.14.tar
Dependency Hierarchy:
- ❌ tesla-1.16.0.tar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in elixir-tesla tesla allows a denial of service via decompression bomb in HTTP response bodies.
When Tesla.Middleware.DecompressResponse or Tesla.Middleware.Compression is included in a Tesla middleware pipeline, HTTP response bodies are decompressed eagerly with no size limit. The decompress_body/2 function in lib/tesla/middleware/compression.ex passes the entire response body to :zlib.gunzip/1 or :zlib.unzip/1 without any cap on the output size. Additionally, compression_algorithms/1 splits the content-encoding header on commas and decompress_body/2 recurses once per token, applying a decompression pass on each iteration. A server advertising content-encoding: gzip, gzip, gzip, gzip causes four recursive decompression passes, yielding exponential amplification: each gzip layer can expand its input roughly 1000x, so a payload of a few hundred bytes on the wire inflates to gigabytes of BEAM heap, exhausting memory and crashing or freezing the calling process.
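The mechanism above, as an added worked example that is not Tesla's code and not the project's patch: it is written in Python rather than Elixir so the decoder loop can be run stand-alone, builds a constructed nested-gzip body, measures how far a few hundred wire bytes inflate, and shows the shape of fix a practitioner would want in any HTTP client, a streaming inflate that aborts once decoded output passes a cap, applied once per Content-Encoding token with a ceiling on the token count. Every name here (DecompressionBomb, inflate_bounded, decompress_body, MAX_TOKENS) is invented for the illustration; the mapping of the `deflate` token to raw deflate framing is an assumption chosen to match what Erlang's :zlib.unzip/1 consumes. The real fix for this CVE is the upgrade to tesla 1.18.3.

```python
import gzip
import zlib

# Constructed sample input: 8 MiB of zeros wrapped in three gzip layers and
# served with "content-encoding: gzip, gzip, gzip". Sizes are measured below.
PLAIN_SIZE = 8 * 1024 * 1024
LAYERS = 3
CHUNK = 64 * 1024   # output granularity at which the cap is re-checked
MAX_TOKENS = 4      # refuse absurd Content-Encoding chains outright

# zlib wbits per token: 31 = gzip wrapper; -15 = raw deflate (assumption:
# the same framing Erlang's :zlib.zip/1 and :zlib.unzip/1 use).
WBITS = {"gzip": 31, "x-gzip": 31, "deflate": -15}


class DecompressionBomb(Exception):
    """Decoded output would exceed the configured cap."""


def build_nested_gzip(plain: bytes, layers: int) -> bytes:
    """Compress `plain` `layers` times; each pass shrinks a long run ~1000x."""
    body = plain
    for _ in range(layers):
        body = gzip.compress(body, compresslevel=9)
    return body


def inflate_bounded(data: bytes, wbits: int, limit: int) -> bytes:
    """Inflate one layer, aborting as soon as output would exceed `limit` bytes.

    Unlike a one-shot zlib.decompress(data) (the uncapped pattern the advisory
    describes for :zlib.gunzip/1), this pulls output in CHUNK-sized pieces, so
    memory never grows past limit + CHUNK no matter what the stream expands to.
    """
    d = zlib.decompressobj(wbits=wbits)
    out = bytearray()
    pending = data
    while not d.eof:
        chunk = d.decompress(pending, CHUNK)   # at most CHUNK bytes per call
        out += chunk
        if len(out) > limit:
            raise DecompressionBomb(f"decoded body exceeds {limit} bytes")
        pending = d.unconsumed_tail            # input zlib has not consumed yet
        if not chunk and not pending and not d.eof:
            raise ValueError("truncated or corrupt compressed stream")
    return bytes(out)


def decompress_body(body: bytes, content_encoding: str, limit: int) -> bytes:
    """Undo every Content-Encoding token, each pass bounded by `limit`."""
    tokens = [t.strip().lower() for t in content_encoding.split(",") if t.strip()]
    if len(tokens) > MAX_TOKENS:
        raise DecompressionBomb(f"{len(tokens)} content-encoding tokens, max {MAX_TOKENS}")
    # Tokens are listed in the order the server applied them; undo in reverse.
    for token in reversed(tokens):
        if token == "identity":
            continue
        if token not in WBITS:
            raise ValueError(f"unsupported content-encoding token {token!r}")
        body = inflate_bounded(body, WBITS[token], limit)
    return body


def measure_amplification(plain_size: int = PLAIN_SIZE, layers: int = LAYERS):
    """Return (wire_bytes, decoded_bytes, factor) for the constructed bomb."""
    wire = len(build_nested_gzip(b"\0" * plain_size, layers))
    return wire, plain_size, plain_size // wire


if __name__ == "__main__":
    wire, decoded, factor = measure_amplification()
    print(f"{wire} bytes on the wire -> {decoded} bytes decoded ({factor}x)")
    bomb = build_nested_gzip(b"\0" * PLAIN_SIZE, LAYERS)
    try:
        decompress_body(bomb, "gzip, gzip, gzip", limit=1024 * 1024)
    except DecompressionBomb as exc:
        print("rejected:", exc)
```

Run as a script it reports the wire size of the three-layer body (a few hundred bytes for 8 MiB of decoded output) and then rejects it under a 1 MiB cap. The cap is per decoded layer, which is what matters: the inner layers of a bomb are tiny and pass, and the outermost expansion is what gets cut off. Pick the cap from what the application is prepared to hold in one process heap, and treat a rejected response as an error, not as an empty body.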
This issue affects tesla: from 0.6.0 before 1.18.3.
Publish Date: 2026-06-02
URL: CVE-2026-48594
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-mc85-72gr-vm9f
Release Date: 2026-06-02
Fix Resolution: tesla - 1.18.3, https://github.com/elixir-tesla/tesla.git - v1.18.3